Bugtraq mailing list archives

Re: procmail / Sendmail - five bugs

From: robert.e.jones () CWO COM AU (Rob Jones)
Date: Tue, 21 Dec 1999 14:38:44 +1100

a) Sendmail (tested with 8.9.3 and previous) allows you to put mail
   addressed to eg. '|/bin/sh' (or any file) into mail queue. Fortunately,
   this queue file should contain also line like 'Croot' to be processed
   properly, while we have no idea how to put it there. But, anyway,
   seems to be dangerous - Sendmail should reject such crap immediately:

   /usr/sbin/sendmail -O 'DeliveryMode=d' '""|/bin/sh'

  (without these double-quotes, it _will_ immediately drop your message)


with or without these double-quotes the message is immediately dropped
on redhat linux with the message

[rob@greedo rob]$ /usr/sbin/sendmail -O 'DeliveryMode=d' '""|/bin/sh'
""|/bin/sh... User unknown

[rob@greedo rob]$ /usr/sbin/sendmail -O 'DeliveryMode=d' '|/bin/sh'
|/bin/sh... Cannot mail directly to programs

Same hapens if I am root or try remotely.

Rob

Current thread:

Re: Groupewise Web Interface, (continued)
- - - Re: Groupewise Web Interface Bayard G. Bell (Dec 21)
    - Announcement: Solaris loadable kernel module backdoor plasmoid (Dec 20)
    - Re: Announcement: Solaris loadable kernel module backdoor pedward () WEBCOM COM (Dec 21)
    - Re: Announcement: Solaris loadable kernel module backdoor Marc Esipovich (Dec 22)
    - Re: Announcement: Solaris loadable kernel module backdoor Steven Alexander (Dec 23)
    - Re: Announcement: Solaris loadable kernel module backdoor Rainer Link (Dec 22)
    - Re: Announcement: Solaris loadable kernel module backdoor Keith Owens (Dec 22)
    - Re: Groupewise Web Interface satherrl () MAILPOINT DSSRG CURTIN EDU AU (Dec 21)
    - Norton Email Protection Remote Overflow (Addendum) Matt Conover (Dec 20)
    - procmail / Sendmail - five bugs Michal Zalewski (Dec 23)
    - Re: procmail / Sendmail - five bugs Rob Jones (Dec 20)
    - Re: procmail / Sendmail - five bugs Michal Zalewski (Dec 22)
    - FTPPro insecuities The Wall (Dec 27)
    - serious Lotus Domino HTTP denial of service Alain Thivillon (Dec 21)
    - More details on the WU-FTPD configuration vulnerability. suid (Dec 21)
    - Microsoft Security Bulletin (MS99-058) Aleph One (Dec 21)
    - Microsoft Security Bulletin (MS99-061) Aleph One (Dec 21)
    - More Netscape Passwords Available. Rob Jones (Dec 21)
    - UnixWare i2odialogd remote root exploit Brock Tellier (Dec 21)
    - IE 5.01 vulnerabilities in external.NavigateAndFind() Georgi Guninski (Dec 22)
    - Solaris 2.7 dmispd local/remote problems Brock Tellier (Dec 22)

(Thread continues...)